Hacking: A discussion

antielvis Member Posts: 285
I'd be interested in thoughts on hacking specific to the more whitehat style like what Weev (Andrew Auernheimer) did? If you aren't aware, he apparently made minor changes to the URL of an AT&T website & was able to steal a ton of data which he posted in redacted form on Gawker

Right, wrong or both? I recognize that just because the door of a house is open, you do not have the right to walk into the house and steal things. But, on the flip side, I think it's very fair to ask serious questions as to why a large firm has such shoddy security. Many of these hacks are not the work of a red team doing a month of reconnaissance & pen testing. It's the work of a lone computer "hacker" equipped with common knowledge.

If Weev could exploit something like this, what can a well funded, organized team do? And that's a question no one seems to be asking.
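The thread describes the flaw only as "minor changes to the URL" that returned other people's data. The usual name for that class of bug is an insecure direct object reference: the URL carries a record identifier and the server hands back whatever record the identifier names, without tying it to the caller. The following is an added illustration written for this page, not code from the thread or from the AT&T site; the endpoint, hostname, account ids and e-mail addresses are all constructed, and the assumption that the real flaw was of this shape is mine. It shows the vulnerable handler beside a hardened one, an enumeration loop that walks the id space against each, and a small log-side check that flags clients doing that walk.

```python
"""Insecure direct object reference (IDOR) via a guessable URL parameter.

Constructed example: a tiny in-memory "account lookup" endpoint in two
versions. The vulnerable version returns whichever record the URL names;
the hardened version returns only the record owned by the caller's
session. An enumeration loop shows what each one leaks, and a detector
shows how the enumeration looks from the server's request log.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data (hypothetical accounts): id -> owner and email.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com"},
    1002: {"owner": "bob",   "email": "bob@example.com"},
    1003: {"owner": "carol", "email": "carol@example.com"},
}


def _account_id(url):
    """Pull the integer ?id= value out of a URL, or None if absent/bad."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None


def lookup_vulnerable(url, session_user):
    """Returns the record named in the URL.

    The session is checked for existence only and is never tied to the
    record, so any logged-in user can read any account by editing ?id=.
    """
    if session_user is None:
        return None
    acct_id = _account_id(url)
    rec = ACCOUNTS.get(acct_id)
    return None if rec is None else dict(rec, id=acct_id)


def lookup_hardened(url, session_user):
    """Same endpoint with the record bound to the caller.

    The record's owner must match the authenticated user. Unknown and
    forbidden ids return the same value, so the response does not reveal
    which ids exist (an "exists but not yours" answer still leaks).
    """
    if session_user is None:
        return None
    acct_id = _account_id(url)
    rec = ACCOUNTS.get(acct_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return dict(rec, id=acct_id)


def enumerate_ids(handler, session_user, start, stop):
    """What an attacker walking the id space harvests from `handler`."""
    harvested = []
    for i in range(start, stop):
        rec = handler(f"https://host.example/account?id={i}", session_user)
        if rec is not None:
            harvested.append(rec["email"])
    return harvested


def flag_enumerators(requests, threshold):
    """Detection side: count distinct ids requested per client and return
    the clients at or above `threshold`. `requests` is a list of
    (client, url) pairs as a request log would provide them."""
    seen = {}
    for client, url in requests:
        acct_id = _account_id(url)
        if acct_id is not None:
            seen.setdefault(client, set()).add(acct_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(lookup_vulnerable, "bob", 1000, 1010))
    print("hardened:  ", enumerate_ids(lookup_hardened, "bob", 1000, 1010))
    log = [("10.0.0.1", f"https://host.example/account?id={i}")
           for i in range(1000, 1050)]
    log.append(("10.0.0.2", "https://host.example/account?id=1002"))
    print("flagged:   ", flag_enumerators(log, 20))
```

Two design points worth noting. The hardened handler keys authorization on the session, not on anything the client can type into the URL, and it collapses "no such record" and "not your record" into one answer so an attacker cannot use the difference to map which ids are live. The detector is deliberately crude: a distinct-id count per client over a window is enough to catch a naive sequential walk like the one in the thread, but a patient team spreading requests over many source addresses and a long time would sit under any fixed threshold, which is the asymmetry the OP is pointing at.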

Comments

  • wes allen Member Posts: 540
    Probably the wrong way to disclose the flaw, though I think his punishment is way out of proportion with the "crime". That said, many other serious flaws are reasonably and responsibly disclosed without all the "hey, look at me" behavior.
  • f0rgiv3n Member Posts: 598
    I say it's definitely wrong. But that doesn't mean there's a good way to go about it right now. Many times have I read of individuals being sued for notifying a company that they had a problem with their security. I think there should be a law in place to protect "good hack'Samaritans" that find these flaws and notify the company. I think if this were in place, it would facilitate a more friendly hacker<->company communication.
  • YFZblu Member Posts: 1,462
    antielvis wrote:
    If Weev could exploit something like this, what can a well funded, organized team do? And that's a question no one seems to be asking.

    Plenty of people are asking this. The issue is, the answer isn't pretty. A well-funded, organized, stealthy team will pwn you. To what extent and for how long? Well, that's something the organization being pwned does have more control over.

    To answer your question, I think it's wrong to poke at and/or exploit any organization if one does not have written permission. That being said, I do not feel bad for organizations that get compromised because they were clearly negligent regarding their obvious vulnerabilities.
  • antielvis Member Posts: 285
    Well Wes, you'd want to think that, but it's not always the case. There are companies that turn a blind eye when someone contacts them with a potential exploit. Perhaps it's because reporting the problem may well put the administrator in a questionable light with management?

    Think about the most recent 0day Java flaw. Given how high profile it was (and out of band), how come so many large firms (some tech) were compromised? A few years back I did a project for a firm that had NEVER patched anything. When I spoke to the individual in charge of IT, his response was pretty much "who cares" and who was I to ask such questions (ignoring why he had hired me in the first place). That mentality isn't that uncommon.
  • wes allen Member Posts: 540
    True, but from what I have read, most responsible disclosure has an element of "if you don't fix or disclose the flaw within x days, then it will go public." Now, there are companies out there that then threaten to sue/jail anyone who does disclose a flaw, but those are becoming fewer it seems. Still way too many cease and desist type orders coming out for announced presentations at security conferences. So, I am not against public disclosure at all, I just think you need to give the affected party a chance to do a fix first.
  • paul78 Member Posts: 3,016
    Regardless of the motive, his actions are considered a felony and frankly unethical. I am not one bit sympathetic to his plight. I do think that the sentence is a bit severe, only because of the length of the prison term.